GRC is touching just about everyone these days. A lot has been written about the CFO, CRO, CCO and CIO and their roles in deploying GRC technologies. Mike Rothman at the Daily Incite writes here about the CISO’s role in deploying GRC solutions and makes the point that CISOs should be focused not on implementing specific controls but on the program (my emphasis added). We could not agree more. A security program identifies the key areas of focus and prioritizes activities accordingly. A bottom-up approach doesn’t necessarily allocate resources to the high-risk areas, and, given that most companies are operating with increasingly scarce financial resources, a risk-based approach is the best way to allocate them.

The subprime mortgage crisis has sparked a lot of discussion about risk management and, specifically, whether banks that suffered huge losses did so as a result of failures in the risk management function or in business management in general. The general business management failures occurred in situations where the risk management identified unacceptable risks but the business managers in charge of risk mitigation opted not to mitigate the risk(s).

This failure of exercising good business judgement in spite of warnings from the risk management function is exactly what the CEO at Freddie Mac, Richard F. Syron, is being criticized for in an article in today’s New York Times. Reporters Charles Duhigg and Eric Dash interviewed former executives and others associated with Freddie Mac, and their article paints a picture of an executive team, led by Syron, taking unacceptable risks despite the warnings from his Chief Risk Officer and others.

If senior management, in conjunction with the board, cannot be trusted to make the correct decisions about risk management, then there needs to be better transparency about the risks being assumed by the company, and shareholders can make their own decisions about whether to hold the stock or not. In this case, according to the article, “shoddier” underwriting standards exposed the company to too much risk, and Syron was warned of this situation. But did shareholders have a view into these changing underwriting standards?

Whether or not Freddie Mac could have avoided its recent meltdown, given its market share and the decline of the housing market, is an open question. What is clear is that the risk/reward tradeoff was not managed well and that, while shareholders had full visibility into the company’s earnings (the reward side of the equation), there is little doubt that the company did not provide similar transparency into the risk side of the equation. My guess is that increased regulation or shareholder demands will start to encourage better reporting of risks in the business, and not the kind of reporting you currently find in most 10-Ks.

We’ve discussed in this blog the role of IT in GRC, mostly in terms of how IT manages risk inherent in delivering IT services. But there’s another risk that IT should be addressing, and that is the risk of disparate risk data marts scattered across the enterprise. I’ve written about it here.
